Difference between revisions of "AppArmor"
(13 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | [[wikipedia:AppArmor]] ("Application Armor") is a [[Linux kernel]] [[Linux Security Modules|security module]] that allows the system administrator to restrict programs' capabilities with per-program profiles. | |
− | [[wikipedia:AppArmor]] | ||
apparmor_status | apparmor_status | ||
− | /etc/apparmor.d/[[libvirt]] | + | [[/etc/apparmor.d/]][[libvirt]]/ |
May 01 17:34:39 g-cc audit[188993]: AVC apparmor="DENIED" operation="open" profile="snap.[[rocketchat-server]].rocketchat-mongo" name="/proc/188993/net/netstat" pid=188993 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 | May 01 17:34:39 g-cc audit[188993]: AVC apparmor="DENIED" operation="open" profile="snap.[[rocketchat-server]].rocketchat-mongo" name="/proc/188993/net/netstat" pid=188993 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 | ||
− | To disable AppArmor: | + | To disable [[AppArmor]]: |
+ | [[GRUB_CMDLINE_LINUX_DEFAULT]]="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0" | ||
+ | [[update-grub]] | ||
+ | |||
+ | |||
+ | cat /proc/[[cmdline]] | ||
+ | |||
sudo [[systemctl disable]] apparmor | sudo [[systemctl disable]] apparmor | ||
[[reboot]] | [[reboot]] | ||
+ | == News == | ||
+ | * AppArmor support is stable in [[K8s v1.31]] (Aug 2024) | ||
== Related terms == | == Related terms == | ||
* [[Canonical]] | * [[Canonical]] | ||
− | + | * [[kubelet is posting ready status. AppArmor enabled]] | |
+ | * Kubernetes changelog: AppArmor profiles can now be configured through fields on the [[PodSecurityContext]] and container [[SecurityContext]] | ||
== See also == | == See also == | ||
− | |||
* {{AppArmor}} | * {{AppArmor}} | ||
− | |||
* {{security modules}} | * {{security modules}} | ||
[[Category:Linux]] | [[Category:Linux]] |
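Review bot: the added disable steps (the `GRUB_CMDLINE_LINUX_DEFAULT="... apparmor=0"` and `update-grub` lines) do not say which file the assignment belongs in, and `update-grub` is shown without sudo while the existing `systemctl disable` line uses it. Suggest naming the file (on Debian/Ubuntu, /etc/default/grub) and prefixing `update-grub` with sudo. Also consider moving `cat /proc/cmdline` after `reboot` and labelling it as the check that `apparmor=0` took effect, since before the reboot it still shows the old kernel command line.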
Latest revision as of 18:41, 27 October 2024
AppArmor ("Application Armor", wikipedia:AppArmor) is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles.
apparmor_status
/etc/apparmor.d/libvirt/
May 01 17:34:39 g-cc audit[188993]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/188993/net/netstat" pid=188993 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
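The denial record above, parsed into fields and grouped per profile and path, as an added example that is not part of the original page. The function names are hypothetical, and every sample line except the first is constructed for illustration.

```python
import re
from collections import Counter

# key="quoted value" or key=bare pairs, as they appear in AppArmor audit records
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
INT_FIELDS = ("pid", "fsuid", "ouid")

def parse_apparmor_event(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor record."""
    start = line.find('apparmor="')
    if start == -1:
        return None
    event = {k: (bare or quoted) for k, quoted, bare in FIELD_RE.findall(line[start:])}
    for key in INT_FIELDS:
        if event.get(key, "").isdigit():
            event[key] = int(event[key])
    return event

def normalize_name(event):
    """Collapse the process's own /proc/<pid>/ prefix so repeated denials group together."""
    name, pid = event.get("name", ""), event.get("pid")
    prefix = f"/proc/{pid}/"
    return "/proc/@{pid}/" + name[len(prefix):] if name.startswith(prefix) else name

def summarize_denials(lines):
    """Count DENIED events per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in lines:
        event = parse_apparmor_event(line)
        if event is None or event.get("apparmor") != "DENIED":
            continue  # skip non-AppArmor lines and complain-mode ALLOWED records
        counts[(event.get("profile"), event.get("operation"),
                normalize_name(event), event.get("denied_mask"))] += 1
    return counts

# First line is the record shown on this page; the others are constructed samples.
SAMPLE_LOG = [
    'May 01 17:34:39 g-cc audit[188993]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/188993/net/netstat" pid=188993 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'May 01 17:34:40 g-cc audit[189002]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/189002/net/netstat" pid=189002 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'May 01 17:34:41 g-cc audit[190111]: AVC apparmor="ALLOWED" operation="open" profile="example-profile" name="/etc/hostname" pid=190111 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'May 01 17:34:42 g-cc systemd[1]: Started example.service.',
]

if __name__ == "__main__":
    for key, count in summarize_denials(SAMPLE_LOG).most_common():
        print(count, *key)
```

Grouping by profile and normalized path shows which confined program is repeatedly blocked and on what, which is the information needed to decide between adjusting the profile and investigating the process.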
To disable AppArmor:
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT apparmor=0"
update-grub
cat /proc/cmdline
sudo systemctl disable apparmor
reboot
News
- AppArmor support is stable in K8s v1.31 (Aug 2024)
Related terms
- Canonical
- kubelet is posting ready status. AppArmor enabled
- Kubernetes changelog: AppArmor profiles can now be configured through fields on the PodSecurityContext and container SecurityContext
See also
- AppArmor, /etc/apparmor.d/libvirt, apparmor_status
- Mandatory access control: AppArmor, SELinux, seccomp, System Integrity Protection (macOS)